Upcoming Official Symfony Conferences
If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.

CVE-2018-14774: Possible host header injection when using HttpCache

CVE-2018-14774 fixes a possible host header injection when using HttpCache

CVE-2018-14773: Remove support for legacy and risky HTTP headers

CVE-2018-14773 fixes a possible URL injection in HttpFoundation

CVE-2018-11385: Session Fixation Issue for Guard Authentication

CVE-2018-11385 fixes a session fixation issue when using Guard authentication.

CVE-2018-11386: Denial of service when using PDOSessionHandler

CVE-2018-11386 fixes a possible denial of service when using PDOSessionHandler.

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password

CVE-2018-11407 fixes an unauthorized access on a misconfigured LDAP server when using an empty password.

CVE-2018-11408: Open redirect vulnerability on security handlers

CVE-2018-11408 fixes an open redirect vulnerability on DefaultAuthenticationSuccessHandler and DefaultAuthenticationFailureHandler.

CVE-2018-11406: CSRF Token Fixation

CVE-2018-11406 fixes a possible CSRF token fixation.

CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS

CVE-2017-16653 fixes CSRF protection which did not use different tokens for HTTP and HTTPS.

CVE-2017-16652: Open redirect vulnerability on security handlers

CVE-2017-16652 fixes an open redirect vulnerability on DefaultAuthenticationSuccessHandler and DefaultAuthenticationFailureHandler

CVE-2017-16654: Intl bundle readers breaking out of paths

CVE-2017-16654 fixes the possibility for the Intl bundle reader to break out of paths.